···
configFile = pkgs.writeText "vault.hcl" ''
address = "${cfg.address}"
10
-
tls_cert_file = "${cfg.tlsCertFile}"
11
-
tls_key_file = "${cfg.tlsKeyFile}"
10
+
${if (cfg.tlsCertFile == null || cfg.tlsKeyFile == null) then ''
11
+
tls_disable = "true"
13
+
tls_cert_file = "${cfg.tlsCertFile}"
14
+
tls_key_file = "${cfg.tlsKeyFile}"
${cfg.listenerExtraConfig}
storage "${cfg.storageBackend}" {
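Review bot: The conditional added at new line 10 emits `tls_disable = "true"` whenever *either* tlsCertFile or tlsKeyFile is null, so a configuration that sets only one of them does not fail but silently serves the Vault API in plaintext; and since the second hunk drops the old defaults with no replacement default visible, both options now appear to default to null and an unconfigured listener is plaintext out of the box. A module-level assertion outside this hunk would turn the half-configured case into an evaluation error, e.g. `{ assertion = (cfg.tlsCertFile == null) == (cfg.tlsKeyFile == null); message = "services.vault: tlsCertFile and tlsKeyFile must be set together"; }` added to `assertions`. A Nix comment above `configFile`, `# With no TLS material configured the listener is plaintext; only appropriate behind a TLS-terminating proxy or on a loopback address`, would make the intentional downgrade explicit to the next reader. New line 12 (presumably the `'' else ''` branch of the conditional) is not visible in this rendering, and the writeText string continues outside the hunk.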
···
39
-
default = "/etc/vault/cert.pem";
42
+
type = types.nullOr types.str;
example = "/path/to/your/cert.pem";
41
-
description = "TLS certificate file. A self-signed certificate will be generated if file not exists";
45
+
description = "TLS certificate file. TLS will be disabled unless this option is set";
46
-
default = "/etc/vault/key.pem";
49
+
type = types.nullOr types.str;
example = "/path/to/your/key.pem";
48
-
description = "TLS private key file. A self-signed certificate will be generated if file not exists";
52
+
description = "TLS private key file. TLS will be disabled unless this option is set";
listenerExtraConfig = mkOption {
···
preStart = optionalString (localDir != null) ''
install -d -m0700 -o vault -g vault "${localDir}"
113
-
# generate a self-signed certificate, you will have to set environment variable "VAULT_SKIP_VERIFY=1" in the client
114
-
if [ ! -s ${cfg.tlsCertFile} -o ! -s ${cfg.tlsKeyFile} ]; then
115
-
mkdir -p $(dirname ${cfg.tlsCertFile}) || true
116
-
mkdir -p $(dirname ${cfg.tlsKeyFile }) || true
117
-
${pkgs.openssl.bin}/bin/openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 99999 \
118
-
-subj /C=US/ST=NY/L=NYC/O=vault/CN=${cfg.address} \
119
-
-keyout ${cfg.tlsKeyFile} -out ${cfg.tlsCertFile}
121
-
chown root:vault ${cfg.tlsKeyFile} ${cfg.tlsCertFile}
122
-
chmod 440 ${cfg.tlsKeyFile} ${cfg.tlsCertFile}